In cybersecurity, everything is evolving rapidly. It is an ongoing battle between adversaries and defenders. And the terrible thing is, the defenders indeed drew the short end of the stick. They need to defend against any type of threat, while the adversary has the time to sharpen and perfect a single threat. Therefore, the logical question is ‘How do you keep up with the developments of the adversaries?’
But if you think this article is only about Cyber Threat Intelligence (CTI), then you are wrong. To know what is applicable to the environment you are defending, you need to understand and know that environment. Do you genuinely know which asset is running which version of a component of an application?
Yes, this is one of the lessons learned from the Log4J vulnerability. You not only need to know which application is running on which asset, but also you need to know on which components the application depends. But where and how to store this data?
Most CMDB solutions cannot handle this data avalanche. And you do need this information for every asset on your network. Without this information, the CTI team will have a hard time trying to figure out if the received threat intelligence is applicable to the environment. Just reflect on the Log4j vulnerability: how good were you at identifying whether the reported vulnerability was applicable to your environment?
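To make the Log4j lesson concrete, here is an added example (not code from the original post) of the minimum an inventory needs to answer the applicability question: assets, the applications on them, and the components each application bundles, plus a query that matches a threat-intel advisory against it. All hostnames, application names, components and the affected version range are constructed placeholders.

```python
from dataclasses import dataclass, field

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically.
    Pre-release suffixes (e.g. '-beta9') are out of scope for this example."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Application:
    name: str
    components: dict  # component name -> version string bundled by the app

@dataclass
class Asset:
    hostname: str
    applications: list = field(default_factory=list)

@dataclass
class Advisory:
    component: str
    min_affected: str  # inclusive lower bound of the affected range
    max_affected: str  # inclusive upper bound of the affected range

def affected_assets(inventory, advisory):
    """Return (hostname, application, version) triples exposed by the advisory.
    This is the question a CTI team must answer for every incoming report."""
    lo, hi = parse_version(advisory.min_affected), parse_version(advisory.max_affected)
    hits = []
    for asset in inventory:
        for app in asset.applications:
            ver = app.components.get(advisory.component)
            if ver is not None and lo <= parse_version(ver) <= hi:
                hits.append((asset.hostname, app.name, ver))
    return hits

# Constructed sample inventory: nothing here describes a real environment.
INVENTORY = [
    Asset("web-01", [Application("shop-frontend",
                                 {"log4j-core": "2.14.1", "jackson-databind": "2.12.3"})]),
    Asset("app-02", [Application("order-service", {"log4j-core": "2.17.1"}),
                     Application("legacy-reports", {"log4j-core": "2.3"})]),
    Asset("db-03", [Application("postgres", {"libpq": "14.2"})]),
]
# Constructed advisory: the version range is a placeholder, not a real CVE range.
ADVISORY = Advisory("log4j-core", "2.0", "2.14.1")

if __name__ == "__main__":
    for host, app, ver in affected_assets(INVENTORY, ADVISORY):
        print(f"{host}: {app} bundles {ADVISORY.component} {ver} (affected)")
```

Note that the query only works because the inventory records the component version per application, not just the application per asset; an inventory without that second level cannot tell `order-service` (patched) from `legacy-reports` (exposed) on the same host.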
Once you do understand your environment, you need to think about the adversaries. Which Advanced Persistent Threat (APT) groups are interested in the company you are defending? But no, APT groups that are not interested in your company cannot simply be ignored. They just have a lower priority rating. You still need to monitor and analyze their behavior. How often do you evaluate the APT groups?
But knowing which APT groups are out there is not enough. The threat landscape itself is also rapidly evolving. Remember, adversaries are constantly improving and/or changing their techniques and tactics. They understand very well that once their signature is identified, everybody knows how to defend against it.
But where and how do you store this valuable and most often sensitive data? A CTI platform can only hold a portion of the data and often does not really integrate properly with other tools, even though most of these platforms support exporting data. The security department is starting to look more and more like a data science department. But do you have the right set of skills within your security department?
The Security Operations Center (SOC) will only come into the picture once the threat signature has been identified. Only then can they start building the use case. Within the SOC there is another important piece of the puzzle. Their tooling collects and processes a high variety of data. The Cyber Threat Hunting (CTH) team needs this information to verify whether the intelligence received from the CTI team has already materialized in the environment.
But even if the answer is no, do remember that threats are rapidly evolving. You need to analyze how much correlation there is with existing signatures. Detection use cases that are implemented by the SOC depend on the accuracy of the threat signatures.
There is another troublesome piece of the puzzle with threat signatures. You can define the use case a little bit broader to also catch the threat if the correlation rate is above or below a certain percentage, but then the question is ‘what is the desired threshold for the correlation rate?’. If the correlation rate is set too wide, the SOC will have to deal with too many false positive alarms. If the correlation rate is set too narrow, the SOC could be blind to the threat. This is why it is a troublesome piece of the puzzle: you need to discover the sweet spot, and this varies case by case.
And to make it all even more complex, there is also a time constraint because everything is evolving constantly. Therefore, you (as a defender) do not have the luxury of spending much time on it. Automation is key to this all. You need to be able to quickly process the incoming data avalanche of threat intelligence. Without automation, the effectiveness of your cyber hunting team is low. And this applies to both the CTI and CTH teams.
And the worst thing is, there is no magic bullet to solve this. Every company and every environment is different. Therefore, every security department needs to develop its own magic solution for this data avalanche. And not many security departments have actually done this. They do not have an integrated approach to this data avalanche problem.
And it is even worse. As long as there is no integrated approach within the company for this problem, every team will try to find a solution that is best for them. This is not only wasting a part of the budget but it could also slow down various processes.